In this comprehensive interview with the former White House cyber policy advisor and former professor at Stanford University, I had the chance to learn about Christopher’s extensive career spanning from prosecution to international diplomacy, and his insights on the evolving cybersecurity landscape.

Christopher shared valuable perspectives on unifying diverse government viewpoints into coherent cyber policy, the evolution of cybercriminal threats from lone hackers to nation-state actors, and his concerns about the current administration's approach to AI regulation and capacity building initiatives.

Find the transcript of our conversation below.

Steph: Welcome back to Cyberlaw Dialogues. a series dedicated to creating inclusive conversations around cyber law and policy. Today, I'm honored to be joined by Christopher Painter, a former White House advisor on tech policy, prosecutor, and a leading expert in cyber diplomacy. Christopher, thank you so much for joining us. This really means a lot to me.

Christopher: Very happy to be here.

Steph: In our previous conversation, you discussed producing the 60-day cyber policy review, chairing interagency meetings that led to the first international strategy for cyberspace, and establishing a unified U.S. position on cyber policy during the Obama administration. You accomplished a lot of impressive work under the administration. Looking back, what would you say was your proudest moment, and can you walk us through your role in bringing these initiatives to life, from policy discussions to real-world implementation?

Christopher: It's hard to pick just one. I’ve been involved in various aspects of this work for over 30 years—as a prosecutor, at the White House, and later at the State Department. During my time at the White House from 2009 to 2011, when Obama first took office, there was a real focus on cyber as a priority, not just one of many competing priorities. Of all the initiatives, I’m particularly proud of launching the international strategy and making it a major area of foreign policy. It simply didn’t exist before. It was about creating something new, it was about being entrepreneurial in government, and shaping something that would grow over time. When I was at the State Department, I saw many other countries adopt that approach, integrating cyber policy into their broader foreign policy strategies. That was incredibly rewarding.

Steph: Were there any unexpected challenges that refined your approach to policy making in cyberspace?

Christopher: Yes. When we started the international strategy, it emerged from the 60-day policy review that Obama had ordered. One of its recommendations was to unify our position on cyber policy, particularly internationally. Even within the same agency—like the State Department—there were different perspectives depending on whether you spoke with the human rights folks, the cybersecurity folks, the counterterrorism folks, or the arms control people. These divisions were magnified across the entire government. The challenge was to unify these diverse viewpoints into a single narrative.

I remember our first meeting with around 14 different agencies—economic agencies, security agencies, human rights representatives. They didn’t even speak the same language. Security and intelligence officials talked about cybersecurity and cyberspace, while economic experts focused on internet policy, and human rights advocates had a completely different framework. You didn’t even have a commonality of language. What I thought was interesting was that over a year and a half, we crafted a strategy that brought these perspectives together into a coherent policy framework. The final strategy covered economic aspects, cybersecurity and stability, military considerations, and human rights—tying it all to a broader goal of creating an interoperable, reliable, and secure information infrastructure. It was a major step toward a unified approach in the U.S. government and international discussions. This was the first strategy in the world. It was a big deal to get everyone to sing the same song and be able to have these agencies carry those messages forward. 

But it was challenging—dealing with those linguistic differences, dealing with those different viewpoint differences, dealing with the inherent conflicts that can arise between those different communities on some of these issues, was difficult. But I think it was really rewarding to get them all to come together, to understand the different viewpoints and to have a more unified mission.

Steph: That’s incredible to hear, thank you so much for sharing. Moving into the cybercrime realm, who were the most significant cyber threat actors when you first entered the field, and how has the threat landscape evolved? In particular, how has the U.S. government’s approach changed across the Obama, Trump, and Biden administrations?

Christopher: When I started as a federal prosecutor focusing on cybercrime, it was serious but not well understood by the public. Society—from banking to communication to social life—wasn’t as dependent on technology as it is now. Back then, high-profile hacking cases made front-page news, like the Mitnick case, but people didn’t grasp the full implications. They were disruptive, but people didn’t understand how serious they were. We had some resources—FBI, the U.S. Attorneys' offices—but they were limited, and there was a prevailing belief in online anonymity.

Over time, the landscape changed dramatically. You still have script kiddies, and lone gunman hackers, as I call them, but you have much more of a couple different things. We now have transnational organized criminal groups, particularly with ransomware. Nation-states have also become more involved, not just for political goals but financial ones—for instance North Korea, who has a political goal, but is also trying to get hard currencies so they engage in fraud and attacking things like the Bank of Bangladesh. The sophistication of attackers has increased, and our dependence on digital infrastructure has made us more vulnerable.

We had a pretty good cyber crime law, which we have amended a couple times, 18.USC.1030. A lot of the rest of the world didn't, but now many countries in the world, because of the Budapest Cybercrime Convention, have the basic laws in place. And now there's been a new UN convention, so maybe more countries will sign up for either the Budapest or a new convention. Back then, you didn’t have much substantive crime to punish. Nowadays, we do. In response, I’ve seen maturity in terms of legal structures, training for law enforcement, which is critically important international cooperation, like the 24/7 network that I helped run at one point, that was started through the G8 and many more successful transnational takedowns of groups.

However, ransomware has become particularly pernicious. And the bad thing about that obviously, it's disruptive. It targets even hospitals and others. The only silver lining is, governments and businesses take cybersecurity more seriously. Under the Biden administration, ransomware became a G7 priority and led to the creation of the Counter Ransomware Initiative, which now includes 68 countries. That level of attention is critical to making progress.

Steph: Shifting to AI, there’s been a lot of discussion about its role in cybersecurity. AI models are advancing rapidly, like with what we’re seeing with DeepSeek. What opportunities does this present for cybersecurity, and what risks do you see?

Christopher: I think cybersecurity companies are rightly relying on AI to automate responses, but even more importantly, to analyze vast amounts of alerts. However, attackers are also using AI to craft more sophisticated phishing attacks and adapt their methods in real-time. On the other hand, we've been quite worried about attackers using artificial intelligence to craft better attacks and to be more nimble. It will be a constant cat-and-mouse game.

Steph: Cybercrime costs are projected to hit $10.5 trillion this year, making it the world’s third-largest economy. Just recently, on February 21st, the Lazarus Group stole $1.5 billion in the largest crypto heist in history. From your experience tracking and prosecuting cybercriminals, are stolen funds truly lost forever, or can government agencies intervene?

Christopher: It depends. When you talk about numbers, people often guess that number is the economic damage; but we don’t have great data on that. We have a lot of anecdotal data and estimates. I don’t dispute it’s a huge issue, however. On the issue of being able to claw back some money, Occasionally, funds are recovered, as we’ve seen in some ransomware cases where the DOJ and Treasury have successfully clawed back payments. Success depends on access to wallets, tracking criminal operations, and international cooperation. But it’s not going to work in every case. 

Longer term, there are things that this ransomware task force that I've been co chairing for a number of years has suggested, which is, to not regulate crypto completely, but use things like,  “Know Your Customer” policies, money laundering rules, things that we use in other payment systems, and have better international cooperation on those systems, which I think would help trace some of these funds and make sure that we can either get them back or make it harder for the criminals to even access them.

Steph: What regulatory gaps still exist in combating cybercrime, particularly regarding emerging technologies?

Christopher: It’s always been a problem that technology moves quickly. As the old adage goes, regulation and laws move slowly. But I think we have a lot of tools to go after this now. For crypto, it’s about applying traditional solutions that worked in other areas. For instance, there was a lot of money laundering at one point, but we created money laundering rules. It doesn't mean to abolish crypto, but it’s about how do you make sure it’s used responsibly? 

I think the challenge is lawmakers don’t understand these technologies, either here or abroad. It's fast moving, and you want to have regulations that are technology neutral so they don't get outdated in like five minutes, so you don't have to keep changing them. But that's a challenge, especially when these things are new, and you're trying to figure out the best way to approach them without actually hurting their utility.

Steph: I especially agree with your last point—we want regulations to be nimble and evolve at the pace of technology.

Christopher: I think we’re not going to see that in this administration. I think they're very anti regulation. Both parties have been for many years, and the change in that was in the National Cyber Security Strategy under the Biden administration, which, for the first time really said, we have to look at this, both for critical infrastructure and for software vendors. But I suspect that in this administration, it's unclear whether that will continue to be a priority.

Steph: Turning to global policy discussions on technology and emerging technologies, the Paris AI summit brought nearly 100 nations together recently to discuss the safe development and use of AI and had these nations sign a declaration that's critical for establishing comment guidelines and international cooperation. However, the US has declined to sign the summit declaration. Can you provide the readers some of the background, the significance of the summit and the declaration and explain just what this decision might signal to the world?

Christopher: Well, I think the summit was an interesting idea. I helped work on a paper submitted by the Paris Peace Forum on drawing out the cybersecurity aspects of AI and what a governance framework could look like. When the administration came in, they revoked the Biden AI order—the safe use of AI and the guardrails around certain things.

Again, it's still early in the administration, and it's hard to tell with everything else going on. However, my sense is that by repealing that order, refusing to sign anything in Paris, and making statements against the EU's attempt to regulate AI—despite its own flaws—the U.S. has made it clear that, at least initially, it does not want to be bound by any restrictions.

There are real safety considerations with AI, but in the short term, until they establish a successor to the order or release something new, they seem unwilling to impose restraints on AI development—more for competitive reasons than anything else.

I attended a conference in London about six months ago, before the election, where a speaker said that the only real competitors in AI would be the U.S. and China because the EU had regulated itself out of the race. While I don’t completely agree with that, I think it reflects the U.S.'s current stance—they don’t want to regulate something they don’t fully understand or risk hurting their competitiveness. That decision could have real consequences, but for now, we’ll have to wait and see how it unfolds.

Steph: That's so fascinating. On the point of this push to deregulate technology and emerging technology, if you could advise the current administration to do one thing in the cybersecurity strategy, what do you wish they could hear from you? 

Christopher: There's two different aspects of that. I do think smart regulation is still important—I just don't suspect that's something the administration is gonna take up. What we finally had gotten to is at a political level, this being treated as a national and economic security issue, and we had resources devoted to that. We had more planning devoted to that, like the counter ransomware initiative, I just worry that the US will not continue to lead in that area, not because they may not want to, just because it's not at the top of their list of priorities. And I think that would be a mistake because the US plays a critical role in driving these policies and making sure you have better cyber security around the world, which helps us. I mean, it's not just altruistic. It helps the U.S., and that includes things like capacity building. You've heard all the stories about them. I mean, I think just today, they're shutting down the USAID. Those programs, at least the ones I know of, are designed to help us. Eventually, if you help a country or the State Department's programs, if you have a country build its capacity to have technical abilities. That helps us, because we need to cooperate with them when the adversaries are attacking them as proxies. 

So I'd say, continue to make it a priority. Get good people in place. And I think they're just starting to get some people in place, so that has to be filled out. Don't drop the ball on it. Even if it's not a personal priority for President Trump, it should still be a priority for the administration. They did make good progress, even in the last administration, last Trump administration. Outside of some statements by the National Security Advisor Waltz about China, there hasn't been a lot coming out of the administration yet on that.

Steph: Who in particular in the administration do you have your eyes on that you are excited to see what kind of stances they take on cybersecurity policy?

Christopher: Some haven’t been named or even rumored yet, so I haven’t heard many names for my old job at the State Department yet. So that would be critical. I think that the new National Cyber director at the White House is someone who is senior but doesn't have a lot of cyber experience, but has a lot of political experience. That would work out well if he has the ear of the West Wing, so we'll have to see where that goes, but that's just recently announced. The Directorate and the National Security Council, that Anne Neuberger used to run, they're sort of downgrading that a little bit. But as long as we have clear lines of responsibility between the NSC and the National Cyber Director of the White House, rather than having it kind of a jump ball, that could be good. A critical one's gonna be at DHS and CISA. I saw an announcement just the other day that Karen Evans, who used to be in the Bush administration, then in the first Trump administration at the Department of Energy. She’s a very competent person. 

So what I think is we'll have to see, and I think all those have to work together and DOD as well and Commerce and Treasury, they have to be a team. 

But I think we're gonna be a few months before we see that team starting to operate and see things come out of it. You also heard the administration talk. The one thing they've said about cyber often now, you've heard it from the CIA, you've heard it from National security advisors—they wanted to be much more aggressive offensively in cyberspace. And I think the Biden administration had also moved in that direction, but I'd say that is one tool in your toolkit, one arrow in your quiver, if you will. But it's not the only one. You have to like to look at all the other tools to have a unified response. Sometimes cyber is not the best response to even the cyber incident, but having strong tools make sense. 

Steph: Can you go more into depth on that? Can you get an example of a scenario where cyber, just a cyber response may not be the full picture? What other tools do we need?

Christopher: Well, if you have a cyber incident, it's just like anything else if you had a physical attack, you look at all the range of options you have, you could use military responses, you could use economic responses, diplomatic responses, cyber responses, to disrupt the adversary. You could do all those things. And you have to do the same thing. So if you have a denial of service attack—that is not espionage, because espionage is a different category—but something that's disruptive, cyber response might be one of your options, but then you have to have access to the systems you're trying to do. You're trying to bring consequences to the adversary. So what are those? And how can you achieve that with cyber so they don't just reset? Economic responses might be stronger. Diplomatic responses—working with other countries—might be stronger. A challenge there is, I think a lot of our allies are a little wary of us right now, but you need those partners to work together, because they're targets, too. And then military responses are part of the picture, but you have to tailor it. You got to look at who's doing this to you and say, What is it gonna change their mind? What's gonna make them think this is not worth it for them? And that's gonna be different for whoever the adversary is. It's gonna be different for Russia than it is for China. It's gonna be different for North Korea than it is for Iran. So you've got to have a unified response and organized response, and a cyber response could well be part of it, but may not be the best or the only one.

Steph: I think what’s really interesting about that is—I think of cyber crime as almost a business, and it's, it's currently a very lucrative one. The goal, as you mentioned, is to remove the financial incentives, making it a less attractive business proposition. But what’s particularly challenging is when cybercriminal operations are backed by countries that already have strained or severed ties with the U.S. and its allies. In those cases, there’s less diplomatic or economic leverage to deter their actions without risking a significant escalation of tensions.

Christopher: There’s a continuum there: if you're going after a nation state, you're going to use different tools than when you’re going after a criminal group because you want to lock up the criminals, you want to interrupt their money flow. But if those nation states are acting as safe harbors, as we've seen with Russia, for ransomware groups and criminals, then you have to think about how else you can reach them. And that's not always that easy, right? 

Steph: Completely agreed.

Christopher: And then, the other thing I'd say is that you have, there are, they're kind of like minded countries, but there are a lot of countries in the middle. And that's why things like capacity building are so important, because a lot of those countries may not help us now, not because they don't want to, but they just don't have the capability to do it. You need to work with them, to bring them along, so that they will help us in these things. So that's not the Russians and China's in the world, but it’s a lot of the countries who are maybe less developed and don't have the tools and we'd be willing to help.

Steph: On your work with your work as president of the Global Forum on Cyber Expertise (GFCE), I'd love to hear about some of the initiatives that the group has brought to make that happen, and to bridge those gaps.

Christopher: I was the president for five years. I just stepped down from that, but was still involved with them. And the whole idea of that group was to set up a better coordination mechanism so that the limited resources you have for this are used in a judicious way, that you really reach into countries in a demand driven way, instead of just saying, we give you something. But what do they really need? You follow up with those countries, you understand the political goal of these countries. You could create a sharing platform so they can share information among and between them more efficiently. And all that succeeded. Now I think it's great. I think that there's 260 members and partners, including over 60 countries and private sector, civil society, and others. So there's been a number of initiatives, including trying to bring the traditional development community, like the World Bank, and the cyber community to talk to each other together to make a common purpose. 

There's a big conference coming up in Geneva, the second one of these, the global conference on the Global Cyber Capacity Building Conference, the GC3B which will be in Geneva in May. And that brings these communities together. It's another way to move forward. And so it's really organizing and helping create a community for this somewhere more efficient and in these activities. 

Steph:  Are you interested in seeing how the upcoming conference in Geneva will contribute to capacity building? In other words, are there specific countries you’re particularly eager to watch as they develop their cyber capacity?

Christopher: We've seen some real activity. For instance, the ASEAN countries, Singapore has played a pretty key role there in working with those countries, creating a training center for them. So that's one area. There's been growth in Latin America and more generally, the OAS, the organization for American States, has been involved working with GFCE and really making sure that as many more countries have national strategies, and which is sort of the foundational thing you need, but also capabilities, Africa is still a big issue. We've created an African cyber experts network and a hub there, which is important. The Pacific Islands is another place that often is a proxy for attack by some adversaries and others, and I think they've been more active. So really, it's not any one country or area in the world, it's really everyone. And I think that I've seen real progress, but there's a whole lot left to do. You go to these UN meetings, and the number one thing you hear from a lot of the developing countries is we need this help, that this is the most important thing to us. Unfortunately, there's simply not enough resources to go around right now.

Steph: For our readers that aren't as familiar with what cyber capacity building means, can you elaborate on what it means and what the primary goals are?

Christopher: It's a range of different issues, everything from technical training, to policy training. On the policy front, the GFCE is organized into several pillars. 

1. One is national strategy and policy. Having a national strategy for cyberspace, for cybersecurity (or broader cyber and digital issues) signals that the country has the political will, and it sets up the roadmap, and that's key. And lots of countries have that, but still many don't. 

2. The second one is incident response and Computer Emergency Response Teams (CERTs). So having a national level CERT dealing with incident response is really important. 

3. Third one is cyber crime: having laws in place, trained officials, etc. 

4. Fourth one is awareness skills and training, obviously important. 

5. And the fifth one, which is new, is emerging technologies. 

So in each of those categories, we're helping countries really understand this. The reason that's important, as I said before this, it's not just altruistic. Obviously, you want to help countries not have a weakest link—you want to help them have stronger cybersecurity. But from the U.S. perspective, there are two things that capacity building helps do. One, which is not the goal, but the result, is if you're helping countries, they then kind of understand your general viewpoint. We want an open, free, interoperable cyberspace. Some other countries want much more of a closed system with state control. They want to moderate content and go after dissent. That's not what we want. So a lot of these countries are on the fence. They like the idea of stability, but they want security. And it begins, I think that begins to help them think, okay, that this, this view of the world is better for us. It's better for our economies and our people. But I think one of the primary goals is that when you help these countries build their technical capabilities, they can work more closely with you, your technical people, your policy people, to respond to and to deal with cyber incidents that cross many different national borders. And I think that's a key thing going forward, too. And so I think the more we do that, the better the payoff is for the U.S. and other countries in the long run.

Steph: We're nearing the end of our time here. I just have two more questions. The first question is, given your roles on the board of the Center for Internet Security and your involvement in the GFCE, how do you envision the evolution of public private partnerships? And so I know you've mentioned, you touched on this briefly, of how businesses and government are interacting to respond to enhancing both national and global cyber security. What innovative initiatives do you think are emerging to build cyber capacity through those partnerships?

Christopher: I think it's critical to have those. There's been this whole debate in the UN about stakeholders, both civil society and industry, participating, and the Russians blocking a lot of them for more geopolitical reasons. But industry often has the best view of what's actually going on out there, and when the tools are because they operate, a lot of infrastructure. Civil society has unique perspectives that governments often don't have, and you need those voices at the table. The GFCE was constructed this way, to have these different pillars. We have civil society, we have academia, we have a couple dozen industry players. We have governments. And that works well. There has been some what we call multi-stakeholder activity in the UN—it's still not perfect. There were some good ones with the Cybercrime Convention, again, not perfect, but, I think it's critical to have them there. Now, the other things, we've talked about public private partnership for as long as I can remember, and it's become kind of a mantra. 

There are some good examples where you have industry and government, like on the same response floor, but I think we need to expand that and understand that all these parties have a role to play here. Even governments will not be able to handle this on their own.

Steph: I think being in the legal field must bring a really interesting vantage point,where you get to reach across the aisle and understand issues from various angles—for you, across civil society, industry, and government. How has your law degree informed your perspectives on cyber security policy? How has it helped you develop the skill sets that you need to bridge some of the existing gaps between the policy and technical communities?

Christopher: I think I went to law school for the same reason many people go to law school, since I wasn't exactly sure what I wanted to do when I wanted to have a lot of options. And law school seemed like a good option, that it seemed like was interesting. But I really like law school. You don't need to be a lawyer to go into cyber policy, but it really teaches you a way of thinking and analyzing problems that I think is very helpful to your later career, even if you're not doing straight law anymore. I think in the policy realm, it helps you think critically about issues, write critically about issues, understand competing priorities in a way that you might be able to find other disciplines. But I think law is particularly good at honing those skills and training those skills. 

It's a big investment of time and money, but I think law school really helps you, and also, depending on where you go to law school. The law school I went to, they trained you to be a lawyer, but they also talked a lot about policy issues. They talked about legal policy issues. They went beyond just the learning contracts or torts or criminal law. They really went to the kind of larger issues that informed all those and I think that, again, helps you think about how you, how you approach these issues when you go out of law school. So I think it's, I think it's excellent training. I think it's also a good environment, usually, where you have a lot of compatriots, classmates from different walks of life and different backgrounds, that helps you think about these issues in a broader way as well.

Steph: For those aspiring to such a career at the intersection of technology, law and policy, what advice can you give? What essential skills and experiences should they seek out?

Christopher: I didn't have a clear career path. I think it's clearer now for people. But, you know, I think the key thing is just to have a passion for the subject, to really care about it. This is really what you want to do, and to be open to new opportunities. You may not get the first job or the best job, you may not get the best job you want as the first job, or you might, but you don't, you don't have to continue to do anything for the rest of your life. You can move around like I did, and I think those different perspectives help you. 

So I think it's useful to have a little bit of technical training. You don't need to be a coder to be a cyber policy wonk. Indeed, I think that scared away a lot of the top decision makers on this. They thought it was too technical, but it's, it's just like nuclear: you don't need to be a nuclear engineer to understand nuclear policy issues. I think where lawyers are particularly valuable, is being able to translate between the technical community and the policy community, because often they speak different languages, they're not good at communicating. If you could be that bridge, that's very useful. 

I think the positive news is there's many more opportunities out there than there were, you know, 20 years ago or 30 years ago. This is still a growth area. There's lots of, you know, things and companies, think tanks, government (although we'll see how big our government's going to be after a few months), but I think there certainly are more opportunities, and it's still something that's being prioritized, and I think that's going to continue to grow. So if you have that enthusiasm to really care about this, I think it's going to make a big difference.

Steph: Christopher, thank you so much for sharing your incredible insights. It's been so fascinating to hear about your journey and how you've shaped and are continuing to shape the future of cybersecurity and policy. Your work is really inspiring, and I definitely see myself following in similar footsteps, in a similar path, and it's really been an honor to have you on the Cyber Jurist. Thank you so much. 

Christopher: My pleasure.

Joe Wheatley, a leading figure in law, tech, and national security, spoke with Stephanie Hwang in the first episode of Cyber Law Dialogs. They discussed the global nature of cybercrime, the role of AI and data-driven tools in combating bad actors, and the importance of public-private partnerships in enforcing cyber regulations across different jurisdictions.       

Steph: Welcome to the very first episode of the Cyber Law Dialogues. This series is dedicated to creating open, inclusive conversations around cyber law and policy. I'm your host, Stephanie Hwang, and in this space, we aim to break down conversations around cyber law and policy to empower the next generation of cyber leaders by inviting the brightest minds to share their insights. Today, we'll be exploring questions like: What is cybersecurity? What does the future of this evolving field hold? How can we ensure a more transparent, collaborative, and forward-thinking digital landscape?

I'm excited to kick off the series with someone who has been an incredible mentor and guide to me in tech policy, Joe Wheatley. Joe is a leader at the intersection of law, tech, and national security. After graduating from Princeton University with a degree in Public and International Affairs, he earned his JD at Penn Law. Joe has had an illustrious career at the Department of Justice, tackling complex transnational crime and cyber issues, including dismantling organized crime networks as the deputy director of Task Force Vulcan. In 2021, Joe took on a new challenge at Amazon, joining their Counterfeit Crimes Unit, where he leads efforts to hold bad actors accountable in the digital marketplace—a space that's becoming a critical front in the fight against cybercrime.

Joe, you've been a mentor to me since my early interest in tech policy and law, from working on my senior thesis to guiding me through career pathways post-graduation. I couldn’t be more excited to have you here as our first guest. Thank you for being here.

Joe: Thank you so much for having me. I’m really honored to be here.

Steph: You've had an incredible career trajectory in cyberspace and law, from your early days as a trial attorney at the DOJ, combating transnational crime, to now leading Amazon's fight against counterfeiters. Can you walk us through your journey and what inspired you to specialize in these areas?

Joe: Sure. From a young age, I was fascinated with technology—computers, email, the web, gadgets—so I knew I wanted to dive into that for work. After college, I took a year off to work as a paralegal in the DOJ’s Antitrust Division. I enjoyed it, but knew it wasn’t the right fit for me. I wanted to be a lawyer, and by the end of that time, I was pretty convinced I wanted to be a prosecutor. During law school at Penn, I focused on criminal law, supporting a professor’s research, doing internships with the DOJ, and writing about these issues for law journals.

When I got to the DOJ, I was assigned to the Organized Crime and Racketeering Section. It’s a broad name, but essentially, we dealt with criminal groups committing various crimes, many involving cyber issues. These large organizations rely on complex systems—botnets, phishing, hacking—to commit crimes. I worked closely with the Computer Crime and Intellectual Property Section on many cases. Over time, I knew I wanted to dive deeper into tech and cyber law, and eventually, I found my way back into it.

Steph: It’s fascinating to see how areas like IP, criminal law, and technology intersect. The Amazon Counterfeit Crimes Unit (CCU) is an extremely cutting-edge initiative. In a world where online marketplaces are increasingly vulnerable to counterfeit products and cybercrime, can you explain the mission of the CCU and how it operates?

Joe: Absolutely. The team was created in June 2020 to address a gap at Amazon. We had world-class controls to prevent bad actors from entering the store and listing products, but we didn’t have a team focused on external enforcement—holding these actors accountable. We do this through two channels: civil suits, often with brands, and criminal referrals to law enforcement, which they investigate and prosecute.

Steph: It sounds like a complex and evolving challenge, especially given the global scale. You’ve mentioned using tools like machine learning and big data. How do these technologies come into play in your operations, and how much of the process is automated versus relying on human oversight?

Joe: A lot of the lead generation is automated through signals like customer complaints or brand notifications—critical mass indicators that something’s wrong. Tools like Brand Registry help brands report infringements. But when it comes to external enforcement, that’s where the human element kicks in. For example, building a referral for law enforcement is done by people—me, our investigators, analysts—working with brands to explain how we identified the bad actors. So while we use vast data, human oversight is crucial for enforcement.

Steph: You’ve worked in the trial and conviction space at the DOJ. Is this also part of the process at Amazon, or do external actors handle that?

Joe: We support law enforcement, providing data and testimony when needed. If law enforcement has an investigation, we contribute by providing evidence and working with brands to support the case. We stay involved through the entire process, from investigation to conviction.

Steph: Fascinating. You mentioned technological tools like signals and filters. Do you see these methods becoming a model for other companies or even law enforcement agencies fighting cybercrime?

Joe: I do, and I think everyone is starting to rethink how they can look at data, aggregate it, break it down, and pull out lessons, conclusions, and suggestions. In law enforcement, when I left in 2021, we were experimenting with those kinds of things. All the agencies were, but now it’s like rocket fuel has been added with AI models and machine learning, which is a subset of AI. Whenever we bring a new case to law enforcement, we try to help them break it down. That’s part of our value as a team—there’s all this data, and it's not enough to just put it on the table and say, “This is what this says.” You still have to explain it in a way that people can understand.

When I was a prosecutor, and now still, if I want to be persuasive, I almost have to explain it to myself first: “If I had no background in this, how would I explain it to someone so they’d believe me and want to proceed?” That’s a key part. There’s also the conversation between people who see the technical side day to day and government agencies that might not be involved on the ground as often. That’s definitely crucial.

Steph: Let's get into the mind of a bad actor, as you call them. When people think of cybercrime, they might picture nameless, faceless hackers acting for financial gain. That was my first impression before I started researching. But it’s a lot more complex. There are nation-state hackers, ransomware gangs, cybercrime units, and more. You've worked on major national security cases in the past, and now you're addressing cybercrime in a commercial context. What constitutes 'bad actors'? Has your understanding changed from your time at the DOJ to now at Amazon?

Joe: My view hasn’t changed much. Racketeering can wear any face—it’s essentially a menu of crime. The more sophisticated the organization, the more elaborate the menu. They might choose fraud, money laundering, smuggling, bribery, extortion—you can fit them all under those umbrellas.

With counterfeiting, as reflected in our civil suits with brands, they can commit crimes at arm’s length without being in one place. They operate through chat rooms, encrypted messaging, and can outsource a lot of the day-to-day operations. You might have a network in 10 countries, and some members may never meet. Even if they know each other, it’s through a small community where they vouch for one another. It can be quite faceless—the digital world doesn’t require the criminal to be nearby. They could be halfway across the world, and that’s why we work with law enforcement globally. We get great support from agencies in China, the EU, the UK, the US, and we’re constantly expanding to other jurisdictions in Africa, the Middle East, and India. Ultimately, you have to find the person—figure out where they are and how to get them. You can disrupt the infrastructure, but you still need to reach the people behind it.

Steph: Speaking of the digital versus real world, can you share an example of a telltale sign that indicates you're dealing with a more sophisticated group rather than an isolated event?

Joe: Sophisticated groups, as seen in our civil suits, will often falsify documents to commit wire fraud on Amazon. They try to make us think their products are authentic when they’re not. Some documents look just like legitimate receipts or letters of authorization from a brand—that's a higher level of sophistication.

You also have bad actors using encrypted communications or VPNs to mask their locations, which we note in our suits. Sometimes, they’re not in the same place as other parts of the distribution chain. It could involve multiple countries. Another example is when bad actors rent or buy accounts. Someone creates a selling account, but then it’s handed over to someone else, and the original person gets paid to let them use it. The account documentation might be legitimate—real driver’s license, real person on camera—but that person hasn’t run the account in months. That signals a higher level of sophistication.

Steph: How do you identify when it’s not the original person running the account?

Joe: We and other e-commerce platforms use the INFORM Act, which requires identity verification for sellers. If you re-engage for additional verification, the original person might appear on camera, or they might not. Even if they do, they often have little knowledge of what’s been going on with the account. If they’d been using it, they’d have no problem explaining what they’ve been selling. Instead, they come back cold and ignorant—that’s a telltale sign.

Steph: Taking a step back, how do global counterfeiting networks you fight at Amazon compare to traditional organized crime groups you tackled at the DOJ? Are there parallels in their structure and operations, or are they fundamentally different?

Joe: At the DOJ, I worked on cyber and intellectual property crimes, but I spent a lot of time on violent crime—murders, robberies, shootings, assaults. It was a learning curve to shift to counterfeiting. I’d encountered counterfeiting before but at a high level, not as a specialty. So, it took time to learn the language and statutes.

In terms of sophistication, these global counterfeiting networks are incredibly sophisticated. Counterfeiting on a global scale is a $100 billion industry—hundreds of billions. Very few things generate that kind of money. The people who pull it off are highly organized. You need big manufacturing, big distribution, and people who create false documents and set up accounts to route goods worldwide. That’s no small thing.

In some ways, the violent criminal groups I encountered didn’t have this level of sophistication. They were smart, but this is on another level.

Steph: Counterfeiting, as you said, is a billion-dollar business with many complexities, one being the way cybercriminals operate in different jurisdictions to evade detection. With Amazon's global presence, there must be a lot of complexities in navigating regulations across different regions.

For example, in Europe, you have frameworks like GDPR, which place stringent requirements on data privacy, while in the US, regulations are more fragmented, with no single overarching privacy law at the federal level. In academic circles, there’s an ongoing conversation about how this patchwork of regulations creates opportunities for cybercriminals to exploit gaps. What are the biggest challenges you face in holding bad actors accountable in this legal landscape, and how do you adapt?

Joe: That’s a great question, and it's a regular topic of conversation. With respect to privacy laws and national laws in different jurisdictions where Amazon and bad actors operate, we rely heavily on our in-country legal teams and outside counsel. There’s nothing we do without consulting them—whether it’s privacy law, corporate law, or any other area. There are differences between the EU, the UK, Asia, and North America, so we tailor how we support law enforcement in each place. That includes what we put into referrals, what we can share, and what we can’t. It’s a challenge, but one we embrace because we want to get those referrals to the law enforcement agencies best suited to go after the bad actors. It’s complicated, but it's a necessary complication we address to make it work.

Steph: Absolutely. And it’s also a race against time, dealing with these sophisticated networks of cybercriminals who often have the advantage of being ahead of law enforcement.

Joe: Exactly. What we try to do when working with law enforcement in a specific country is establish a standard operating procedure with our in-country legal team and outside counsel. That way, we don’t have to revisit every detail each time, because we already know the guardrails—what's okay to share under their national law and what support is appropriate. Then, we operate within that framework.

Steph: Looking ahead, do you see the future of regulatory consistency in cyberspace moving toward a unified global approach to cybercrime regulation, or will jurisdictional gaps continue to pose challenges?

Joe: I don’t see the differences between countries being harmonized anytime soon. If it were going to happen, it would have already. It doesn’t seem to be converging on a single point, and I’m not holding my breath. Every country has its own calculated risk assessment on what matters to them, so I don’t see enough alignment to make that happen.

Steph: How do you think legal frameworks need to evolve? Feel free to speak to the role of public-private partnerships.

Joe: A major focus for our Counterfeit Crimes Unit and Amazon’s larger anti-counterfeiting efforts is protecting customers, brands, and the public through self-enforcement and self-policing. We want to keep bad actors out of the store, and if they do get in, we shut them down before their listings go live. Amazon shuts down many listings based on indicators of counterfeiting activity. If bad actors make it in, we shut them down, and if they sell something, we go after them through external enforcement.

The scale of global commerce is too large for any one law enforcement agency, company, or country to handle alone. That’s why we need a larger effort to stop bad actors. One example is the Anti-Counterfeiting Exchange (ACX), which Amazon helped start. It’s an exchange where e-commerce stores share data on bad actors to hold them accountable. It’s too global a problem for any one entity to handle, so it’s a group effort. That’s one of the trends I see continuing in the future.

Steph: As we wrap up, given your experience tackling issues from MS-13 to global counterfeiting, what keeps you motivated to work at the intersection of law, tech, and crime? How do you see your role evolving over the next five years?

Joe: I see it as deepening relationships with law enforcement to get data and analysis to them sooner so it can be more actionable. I also see more efficiency in spotting criminal activity through AI, which can help identify patterns in bad actors’ networks. This applies to law enforcement too—not just companies. Governments have large amounts of data that could point toward bad actors, so it’s about getting better at managing that data and extracting meaningful insights. The data is always growing, so the challenge is not being overwhelmed by it but learning how to use it effectively.

Steph: With your experience in both government and corporate sectors, what’s a key lesson you’ve learned that applies to navigating the future of cyber law, especially for students or young professionals?

Joe: Don’t be afraid to fail. If you’re afraid to fail, you’ll avoid certain experiences or goals where you could really make an impact. Don’t be afraid to approach people and ask questions. A lot of people have learned great lessons the hard way, and that knowledge often sits untapped. Also, if you're in law school, sign up for things—try new things. For example, law journals often struggle to get enough content, even though people assume they’re fully stocked. Opportunities often go unclaimed because people think someone else has already taken them. Be one of the people who throws their hat in the ring. Getting rejected doesn’t mean there’s something wrong with you, so go for it and be willing to fail.

Steph: That’s great advice, thank you for sharing. My final question is, what sources should students and aspiring lawyers follow to stay updated on cybersecurity news? One helpful platform for me has been Inside Cybersecurity. I find their articles very interesting and informative. Any other sources you’d recommend?

Joe: I’m a big believer in news feeds on social media. It’s constantly washing over you, and through platforms like LinkedIn or Twitter, you can see updates on what people are reading, doing, and finding important. That’s a big source for me.

Steph: Thank you so much for sharing your incredible insights. It’s been fascinating to hear about your journey and the way you're shaping the future of cybercrime enforcement. As someone who hopes to follow a similar path, I’m really inspired by your work, and it’s been an honor to have you as our first guest in the Cyber Law Dialogues series.

Joe: Thank you so much for having me. It’s been a real pleasure.